IAM: Hands-On
In this lesson, we will get started with IAM.
This lesson will explore Cloud IAM using the GUI and Cloud Shell (Google Cloud's ephemeral shell environment). This demo requires more than one user in your GCP project. IAM already lists your own email ID as a user, so we will create a second user in the current project.
Use of a service account
Remember that GCP IAM has different kinds of members. We will use a service account to stand in for the additional users in our GCP project. So, let's start.
Cloud IAM quick start
In this hands-on lab, we will create two users. Then, the new user will be permitted to list the contents of a bucket. (A Cloud Storage bucket is a container in cloud storage that can hold objects of any type.) Next, we will remove the permission and try to list the bucket's contents again.
Creating a second user
- Open the GCP console.
- Go to IAM & Admin > Service Accounts.
  Update: in the latest console layout, IAM & Admin has been restructured into the Identity & Security menu. To reach the service accounts page, go to Identity & Security > Identity > Service Accounts.
- Click on "Create Service Account."
- Provide a name for the service account (SA).
- Provide a description if required.
- Leave the optional fields as they are, move forward, and click "Create". Then click the "Done" button.
Assign a role to the new user
Now that we have two users in our project, let's give some permissions to the newly created user. Without any permissions, the user will not be listed under IAM users.
- Open IAM & Admin > IAM.
- Click the "Add" button.
- In the "New members" input field, type the new user's name; the field will auto-populate.
- To assign a role, scroll down and select Cloud Storage > Storage Object Viewer.
- Click on Save.
Creating a Storage Bucket
Now that we have two users, let's create a bucket and upload one random file to it.
- Go to Main Menu > Storage > Browser.
- Click on the "CREATE BUCKET" button.
- Provide any unique name, leave all defaults as they are, and hit the "CREATE" button.
- Upload any random file from your system.
The file will be uploaded to the bucket. You can also see the uploading status of the file.
Cloud Shell
Now, we will use Cloud Shell to list the bucket's contents as the newly created service account.
- Click on the "Activate Cloud Shell" icon in the top right corner. Cloud Shell will take some time to start. Meanwhile, you can download the service account key file.
  To use a service account outside of Google Cloud, such as on other platforms or in Cloud Shell, you must first establish the service account's identity. We will create a private key file to do that in Step 4. Make sure you keep this file safe and secure.
- Go to IAM & Admin > Service Accounts.
- To create a key file (identity file) for the service account, click the three-dot icon on the right side, then click the "Manage Keys" option.
- Click on the "Create new key" option and choose "JSON" as the file type. Click on "CREATE" to download the identity file.
- Upload the downloaded key file to Cloud Shell using the three-dot icon and the "Upload File" option.
- In Cloud Shell, type gcloud auth activate-service-account --key-file=[path/to/keyfile.json]. After this command, gcloud and gsutil run as the service account's email address rather than as your own user.
gcpheadstart@cloudshell:~ (gcp-headstart-educative)$ gcloud auth activate-service-account --key-file=gcp-headstart-educative-308308-914a4bba983d.json
Activated service account credentials for: [iam-quickstart@gcp-headstart-educative.iam.gserviceaccount.com]
- This will activate the service account user. To verify, type gcloud config list.
gcpcourseeducative@cloudshell:~ (gcp-headstart-educative-308308)$ gcloud config list
[component_manager]
disable_update_check = True
[compute]
gce_metadata_read_timeout_sec = 30
[core]
account = iam-quickstart@gcp-headstart-educative-308308.iam.gserviceaccount.com
disable_usage_reporting = True
project = gcp-headstart-educative-308308
[metrics]
environment = devshell
Your active configuration is: [cloudshell-30113]
- Type gsutil ls gs://[bucketname]. If you are following the steps exactly, the bucket name will be iam-demo-educative. This command should list the bucket's contents, that is, the file you uploaded to the bucket earlier.
Now, remove the user's permissions using IAM & Admin > IAM.
- Click the pencil icon to the right of the user, then delete the assigned role by clicking the delete button.
- Save it. Come back to Cloud Shell and type gsutil ls gs://[bucketname].
- You should get an "AccessDeniedException: 403" error.
Role changes take some time to propagate, and sometimes caching gets in the way. So, if your permission change does not seem to take effect immediately, don't panic. Most likely, it is because of a local cache in Cloud Shell. Once you restart the Cloud Shell session or refresh the web page, you are good to go.
You can try assigning different roles to explore all the predefined roles.
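The two checks a practitioner usually wants around this lab are "which account is gcloud actually using?" and "does the project IAM policy still bind the viewer role to the service account?". The script below is an added example, not part of the lesson or of the gcloud tooling: it parses the `gcloud config list` output shown above, and reads and edits a policy in the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` returns. The config text and the policy (including its owner binding and etag) are constructed sample data, and `can_list_objects` is a deliberately simplified model of the lesson's outcome, not a full Cloud Storage authorization engine.

```python
"""Local checks around the IAM quick start: confirm which account gcloud is
using, and inspect/edit the project IAM policy for the service account's role
bindings. All sample data below is constructed for the example."""
import configparser
import copy
import json

# Constructed sample: the `gcloud config list` output from the lesson, exactly
# as printed, including the trailing non-INI "active configuration" line.
SAMPLE_CONFIG_OUTPUT = """\
[component_manager]
disable_update_check = True
[compute]
gce_metadata_read_timeout_sec = 30
[core]
account = iam-quickstart@gcp-headstart-educative-308308.iam.gserviceaccount.com
disable_usage_reporting = True
project = gcp-headstart-educative-308308
[metrics]
environment = devshell
Your active configuration is: [cloudshell-30113]
"""

SA_MEMBER = ("serviceAccount:iam-quickstart@gcp-headstart-educative-308308"
             ".iam.gserviceaccount.com")

# Constructed sample policy in the shape of `gcloud projects get-iam-policy
# --format=json`. The owner member and the etag are made up for the example.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/owner", "members": ["user:owner@example.com"]},
        {"role": "roles/storage.objectViewer", "members": [SA_MEMBER]},
    ],
    "etag": "BwXconstructedEtag=",
    "version": 1,
}


def active_account(config_output: str) -> dict:
    """Return {'account': ..., 'project': ...} from `gcloud config list` output.

    gcloud prints INI-style sections followed by a free-text line
    ("Your active configuration is: [...]"); that line is dropped before the
    rest is handed to configparser."""
    ini_lines = [ln for ln in config_output.splitlines()
                 if not ln.startswith("Your active configuration")]
    parser = configparser.ConfigParser()
    parser.read_string("\n".join(ini_lines))
    core = parser["core"]
    return {"account": core.get("account"), "project": core.get("project")}


def is_service_account(account: str) -> bool:
    """True if the active principal is a service account, not a human user."""
    return account.endswith(".iam.gserviceaccount.com")


def roles_for_member(policy: dict, member: str) -> list:
    """All roles the policy grants directly to `member`, sorted."""
    return sorted(b["role"] for b in policy.get("bindings", [])
                  if member in b.get("members", []))


def remove_role(policy: dict, member: str, role: str) -> dict:
    """Return a copy of the policy with `member` dropped from `role`.

    This is the local equivalent of the console's pencil/delete step. A
    binding left with no members is removed entirely. The etag is kept so a
    later write can be rejected if the policy changed underneath us."""
    new_policy = copy.deepcopy(policy)
    kept = []
    for binding in new_policy.get("bindings", []):
        if binding["role"] == role:
            binding["members"] = [m for m in binding["members"] if m != member]
        if binding["members"]:
            kept.append(binding)
    new_policy["bindings"] = kept
    return new_policy


def can_list_objects(policy: dict, member: str) -> bool:
    """Simplified model of the lab's outcome: listing gs://bucket works while a
    project-level Cloud Storage role carrying storage.objects.list is bound.
    Real Cloud Storage also honours bucket-level policies, basic roles and
    IAM conditions, which this model ignores."""
    listing_roles = {"roles/storage.objectViewer", "roles/storage.objectAdmin",
                     "roles/storage.admin"}
    return bool(listing_roles & set(roles_for_member(policy, member)))


if __name__ == "__main__":
    cfg = active_account(SAMPLE_CONFIG_OUTPUT)
    print("active account:", cfg["account"],
          "(service account)" if is_service_account(cfg["account"]) else "(user)")
    print("roles before:", roles_for_member(SAMPLE_POLICY, SA_MEMBER),
          "can list:", can_list_objects(SAMPLE_POLICY, SA_MEMBER))
    after = remove_role(SAMPLE_POLICY, SA_MEMBER, "roles/storage.objectViewer")
    print("roles after:", roles_for_member(after, SA_MEMBER),
          "can list:", can_list_objects(after, SA_MEMBER))
    print(json.dumps(after, indent=2))  # what you would feed to set-iam-policy
```

Running it shows the before/after state the lab walks through by hand: one `roles/storage.objectViewer` binding for the service account, then none, with listing predicted to succeed and then be denied. In a real project you would feed the real policy JSON in and, after reviewing the edited copy, apply it with `gcloud projects set-iam-policy`; the kept etag is what makes that write safe against concurrent changes.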
This completes the quick start lab for Cloud IAM. Remember to delete the storage bucket by clicking the three-dot icon (kebab menu) next to the bucket so you don't get billed for it.
All GCP services expose APIs. You may have heard that Google introduced a new Vision API; similarly, every Google Cloud service has an API. The next step will be to learn more about enabling and using GCP APIs.